
Re: Kerberos5 + SSH Questions

daemon@ATHENA.MIT.EDU (Lee Eric)
Mon Jan 3 19:26:03 2011

MIME-Version: 1.0
In-Reply-To: <878vz1ippg.fsf@windlord.stanford.edu>
Date: Tue, 4 Jan 2011 08:25:36 +0800
Message-ID: <AANLkTikvrCYsQBJ_1uoY5Ok_BdoajKn6uidoSu8EcNeD@mail.gmail.com>
From: Lee Eric <openlinuxsource@gmail.com>
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu, Brian Candler <b.candler@pobox.com>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Sorry guys. I noticed that I had attached the file, but it seems the ML
ignored it. So I will paste it here. Thanks very much.

==========Client krb5.conf==========
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HERDINGCAT.INTERNAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HERDINGCAT.INTERNAL = {
  kdc = ns.herdingcat.internal
  admin_server = ns.herdingcat.internal
 }

[domain_realm]
 .herdingcat.internal = HERDINGCAT.INTERNAL
 herdingcat.internal = HERDINGCAT.INTERNAL

==========Server krb5.conf==========
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HERDINGCAT.INTERNAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HERDINGCAT.INTERNAL = {
  kdc = ns.herdingcat.internal
  admin_server = ns.herdingcat.internal
 }

[domain_realm]
 .herdingcat.internal = HERDINGCAT.INTERNAL
 herdingcat.internal = HERDINGCAT.INTERNAL

==========Client ssh_config==========
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes
Host *
	GSSAPIAuthentication yes
	ForwardX11Trusted yes
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS

==========Server sshd_config==========
Protocol 2
SyslogFacility AUTHPRIV
MaxAuthTries 6
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication yes
KerberosOrLocalPasswd yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server

==========Client klist output==========
[ericlee@client1 ~]$ kinit -f
Password for ericlee@HERDINGCAT.INTERNAL:
[ericlee@client1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ericlee@HERDINGCAT.INTERNAL

Valid starting     Expires            Service principal
01/03/11 07:59:34  01/04/11 07:59:28
krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
	renew until 01/03/11 07:59:34
01/03/11 08:00:41  01/04/11 07:59:28
host/ns.herdingcat.internal@HERDINGCAT.INTERNAL
	renew until 01/03/11 07:59:34

==========Client ssh -vvv login output==========
[ericlee@client1 ~]$ ssh -vvv ericlee@ns.herdingcat.internal
OpenSSH_5.4p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to ns.herdingcat.internal [172.16.14.1] port 22.
debug1: Connection established.
debug1: identity file /home/ericlee/.ssh/id_rsa type -1
debug1: identity file /home/ericlee/.ssh/id_rsa-cert type -1
debug1: identity file /home/ericlee/.ssh/id_dsa type -1
debug1: identity file /home/ericlee/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 145/256
debug2: bits set: 500/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host ns.herdingcat.internal filename
/home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: host ns.herdingcat.internal filename
/home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: host 172.16.14.1 filename
/home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: host 172.16.14.1 filename
/home/ericlee/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'ns.herdingcat.internal' is known and matches the RSA host key.
debug1: Found key in /home/ericlee/.ssh/known_hosts:1
debug2: bits set: 514/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ericlee/.ssh/id_rsa ((nil))
debug2: key: /home/ericlee/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list gssapi-keyex,gssapi-with-mic
debug3: preferred
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred:
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 172.16.14.1.
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic).

Regards,

Eric

On Tue, Jan 4, 2011 at 6:31 AM, Russ Allbery <rra@stanford.edu> wrote:
> Brian Candler <B.Candler@pobox.com> writes:
>> On Mon, Jan 03, 2011 at 09:53:45PM +0000, Simon Wilkinson wrote:
>
>>> Yes. They added it in Fedora 13, and I'm told RHEL6 also ships with
>>> this patch enabled. Pretty much the only vendors that don't have GSSAPI
>>> key exchange support now are the BSDs.
>
>> Any idea about the Debian-derivatives? I checked on ubuntu 10.04 and
>> I didn't see this option commented out in /etc/ssh/sshd_config
>
> Debian and Debian derivatives have had this patch applied for quite a
> while.  I forget the point at which ssh-krb5 was merged in with ssh, but
> it was at least by etch.  And it was available as ssh-krb5 for longer than
> that.
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
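As an added illustration (not code from this thread or from OpenSSH), the following script reads the two outputs Eric pasted, the klist cache listing and the ssh -vvv authentication trace, and separates the two possible failure points: the client never got a host/ service ticket from the KDC, or it got one and sshd still rejected it. The sample strings are constructed from the thread's output with the mail-wrapped klist rows re-joined; the next-check hints returned by diagnose() are the usual GSSAPI troubleshooting checks and are an assumption, not a finding from the thread.

```python
import re

# Constructed sample input: the relevant lines of the klist and ssh -vvv
# output pasted in this thread, with the wrapped klist rows re-joined.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ericlee@HERDINGCAT.INTERNAL
Valid starting     Expires            Service principal
01/03/11 07:59:34  01/04/11 07:59:28  krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
01/03/11 08:00:41  01/04/11 07:59:28  host/ns.herdingcat.internal@HERDINGCAT.INTERNAL
"""
SSH_DEBUG = """\
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic
debug2: we did not send a packet, disable method
Permission denied (gssapi-keyex,gssapi-with-mic).
"""

def service_principals(klist_text):
    """Service principals in the cache: 5th column of each ticket row."""
    rows = (line.split() for line in klist_text.splitlines())
    return [c[4] for c in rows if len(c) == 5 and "@" in c[4]]

def auth_attempts(debug_text):
    """Map each method sshd offered to how many packets the client sent."""
    tried, current = {}, None
    for line in debug_text.splitlines():
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            current = m.group(1)
            tried[current] = 0
        elif current and line.startswith("debug2: we sent a"):
            tried[current] += 1
    return tried

def diagnose(klist_text, debug_text, fqdn, realm):
    """Place the failure: before the KDC (no service ticket) or at sshd (assumed hints)."""
    if f"host/{fqdn}@{realm}" not in service_principals(klist_text):
        return "no service ticket: check krb5.conf realm/KDC settings and the host principal"
    if auth_attempts(debug_text).get("gssapi-with-mic") and "Permission denied" in debug_text:
        return "service ticket obtained but sshd rejected it: check sshd keytab and reverse DNS"
    return "no GSSAPI failure found in the debug output"
```

Run with the real files via `diagnose(open("klist.txt").read(), open("ssh.log").read(), "ns.herdingcat.internal", "HERDINGCAT.INTERNAL")`; a cache that holds the host/ ticket alongside a triple gssapi-with-mic exchange ending in denial points at the server side rather than at the KDC.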

